Americans are extremely sensitive about their health histories. They consider their health records and medication information to be more sensitive than the content of their phone conversations, texts and email messages. Given these concerns, the Office for Civil Rights at the Department of Health and Human Services is assigned with the delicate and important task of protecting patients’ health information privacy rights through the Health Insurance Portability and Accountability Act (HIPAA), a part of which includes data breach protections.
When a health care information breach happens, health care organizations must report it to the HHS civil rights office. But when a breach is assumed to have exposed 500 or more patient records, the civil rights office is required to post it publicly on its website: in industry terms, the “wall of shame.”
Transparency is inherently good, as it intends to create awareness among patients. Similar public reporting initiatives in the health care industry have proven effective in performance improvement by creating competition among organizations. However, in its current format, the HHS Office for Civil Right’s wall of shame neither creates awareness nor motivates privacy protection efforts in health care industry.
Privacy breaches happen for various reasons and under many different circumstances. On one end, an organization may be ignorant of its security technology and lack accountability when it comes to patient privacy; on the other end, a password-protected laptop may be stolen or an unencrypted thumb drive may be lost, even if the organization had the necessary precautions in place.
The Office for Civil Rights posts all of these incidents on its website without stating how exactly the breach happened and whether or not the organization is found responsible for the breach. In other words, the office publishes the list of indicted without its own rulings, leaving us wondering if an organization is the victim of the breach or is indeed responsible for it.
Every breach is an expensive learning experience for the involved organizations. Yet the lessons learned from these tragic experiences are never shared with the other entities in the health care sector. As long as the factors that lead to privacy breaches are not documented and shared, others are equally likely to experience the same incidents in the future. The current practice of public shaming by the Office for Civil Rights does very little in preventing future breaches and instead creates a culture in which victims are vilified and dissuaded from honest and open information sharing.
By keeping information from the public and painting both victims and culprits with the same brush, the Office for Civil Rights creates unnecessary anxiety among patients without providing them with any useful and actionable information. The Office for Civil Rights should overhaul its current website and publish detailed information about breaches, indicating its own ruling for each case and subsequent penalties. More importantly, the office should lead efforts to change the current punitive culture of pointing fingers and dealing with each breach as an isolated case to a culture focused on investigating root causes and creating a systematic approach to actually prevent privacy breaches in the future.